Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						4bff0fbb31 
					 
					
						
						
							
							check for NULL as argument to krb5_{prepend,set}_error_message functions  
						
						
						
						
					 
					
						2011-07-23 12:06:01 -07:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						75987ebbae 
					 
					
						
						
							
							update to match plugin abi  
						
						
						
						
					 
					
						2011-07-23 11:59:06 -07:00 
						 
				 
			
				
					
						
							
							
								Stefan Metzmacher 
							
						 
					 
					
						
						
							
						
						296548d34a 
					 
					
						
						
							
							kdc: pass down the delegated_proxy_principal to the verify_pac() function  
						
						
						
						
						This is needed in order to add the S4U_DELEGATION_INFO to the pac.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
						
						
					 
					
						2011-07-23 11:48:11 -07:00 
						 
				 
			
				
					
						
							
							
								Stefan Metzmacher 
							
						 
					 
					
						
						
							
						
						626d2607d5 
					 
					
						
						
							
							kdc/windc_plugin.h: KRB5_WINDC_PLUGIN_MINOR 4 => 5  
						
						
						
						
						commit "heimdal Add support for extracting a particular KVNO from the database"
(f469fc6d49lha@h5l.org > 
						
						
					 
					
						2011-07-23 11:48:11 -07:00 
						 
				 
			
				
					
						
							
							
								Stefan Metzmacher 
							
						 
					 
					
						
						
							
						
						aabb937b46 
					 
					
						
						
							
							kdc: don't allow self delegation if a backend check_constrained_delegation() hook is given  
						
						
						
						
						A service should use S4U2Self instead of S4U2Proxy.
Windows servers allow S4U2Proxy only to explicitly configured
target principals.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
						
						
					 
					
						2011-07-23 11:48:11 -07:00 
						 
				 
			
				
					
						
							
							
								Stefan Metzmacher 
							
						 
					 
					
						
						
							
						
						6cb0e81760 
					 
					
						
						
							
							kdc: pass down the server hdb_entry_ex to check_constrained_delegation()  
						
						
						
						
						This way we can compare the already canonicalized principals,
while still passing the client specified target principal down
to the backend specific constrained_delegation() hook.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
						
						
					 
					
						2011-07-23 11:48:11 -07:00 
						 
				 
			
				
					
						
							
							
								Stefan Metzmacher 
							
						 
					 
					
						
						
							
						
						d6a56b847b 
					 
					
						
						
							
							kdc: use the correct client realm in the EncTicketPart  
						
						
						
						
						With S4U2Proxy tgt->crealm might be different from tgt_name->realm.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
						
						
					 
					
						2011-07-23 11:48:11 -07:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						fb8c65a8c2 
					 
					
						
						
							
							better logging  
						
						
						
						
					 
					
						2011-07-23 11:44:42 -07:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						12403a31ce 
					 
					
						
						
							
							sprinkle more windows files  
						
						
						
						
					 
					
						2011-07-23 11:18:21 -07:00 
						 
				 
			
				
					
						
							
							
								Jelmer Vernooij 
							
						 
					 
					
						
						
							
						
						0b3c720c01 
					 
					
						
						
							
							cf: Also enable pthreads on Linux 3.  
						
						
						
						
						Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
						
						
					 
					
						2011-07-23 09:22:51 -07:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						dfc7ec92fa 
					 
					
						
						
							
							Make kadm5_lock() and unlock work, and add kadmin commands for them.  
						
						
						
						
						The libkadm5 functions hdb_open() and close around all HDB ops.  This
meant the previous implementation of kadm5_lock() and unlock would
always result in a core dump.  Now we hdb_open() for write in
kadm5_lock() and hdb_close() in kadm5_unlock(), with all kadm5_s_*()
functions now not opening nor closing the HDB when the server context
keep_open flag is set.
Also, there's now kadmin(8) lock and unlock commands.  These are there
primarily as a way to test the kadm5_lock()/unlock() operations, but
MIT's kadmin.local also has lock/unlock commands, and these can be
useful for scripting (though they require much care). 
						
						
					 
					
						2011-07-22 21:07:48 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						43c5244ecc 
					 
					
						
						
							
							Fix from Roland Dowdeswell -- kadm5_setkey_principal() has to rev kvno earlier  
						
						
						
						
					 
					
						2011-07-22 16:18:44 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						e23a1efdc9 
					 
					
						
						
							
							Fixes for updates of KADM5_KVNO but not KEY_DATA and vice-versa.  
						
						
						
						
						It turns out that updates of kvno but not key data and vice-versa are
both allowed and actually done (e.g., in kadmin's ank).  Doing the right
thing in these cases turns out to be a bit tricky, but this commit ought
to do it. 
						
						
					 
					
						2011-07-22 16:07:10 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						dae01950a2 
					 
					
						
						
							
							add_enctype needs to set the kvno of the keys it adds!  
						
						
						
						
						add_enctype() was not fetching the kvno of the principal it was
modifying, and it was not setting the kvno of the new keys (instead it
set it to 0).  This worked fine before multi-kvno, but broke then.  The
fix is to fetch the kvno and set the new keys' kvno to that.
I'm thinking of adding a new kadmin command to prune old kvnos by date
or kvno differential... 
						
						
					 
					
						2011-07-22 16:07:10 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						1edc2cee45 
					 
					
						
						
							
							Test multi-kvno support in kadmin and KDC (part 1).  
						
						
						
						
					 
					
						2011-07-22 16:07:10 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						1e14951592 
					 
					
						
						
							
							Preserve set_time on historic keysets in kadm5_s_modify_principal() path.  
						
						
						
						
					 
					
						2011-07-22 16:07:10 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						0f53687346 
					 
					
						
						
							
							Two mods from Roland to make kadm5_setkey_principal_3() work.  
						
						
						
						
					 
					
						2011-07-22 16:07:09 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						4f5dbf2f81 
					 
					
						
						
							
							Two patches from Roland Dowdeswell to make n_keys/new_keys args optional.  
						
						
						
						
					 
					
						2011-07-22 16:07:09 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						c818890dd7 
					 
					
						
						
							
							Re-write _kadm5_set_keys2() to handle key history.  
						
						
						
						
					 
					
						2011-07-22 16:07:08 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						1eb56edd86 
					 
					
						
						
							
							Introduce Keys ::= SEQUENCE OF Key in hdb.asn1 so we can get convenience utils.  
						
						
						
						
					 
					
						2011-07-22 16:07:08 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						689d4f4dd9 
					 
					
						
						
							
							Another HDB_F_DECRYPT-isn't-critical fix.  
						
						
						
						
					 
					
						2011-07-22 16:07:08 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						5335559845 
					 
					
						
						
							
							Oops, HDB_F_DECRYPT isn't critical; making it so breaks tests.  
						
						
						
						
					 
					
						2011-07-22 16:07:08 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						a246c394d2 
					 
					
						
						
							
							Fix warnings.  
						
						
						
						
					 
					
						2011-07-22 16:07:08 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						e020dc25b8 
					 
					
						
						
							
							Fix a double free in ank.c.  
						
						
						
						
					 
					
						2011-07-22 16:07:08 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						f2897efd09 
					 
					
						
						
							
							Make the KDC path work.  
						
						
						
						
					 
					
						2011-07-22 16:07:08 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						e23c7a7daf 
					 
					
						
						
							
							How on earth did this build breaking thinko get through?  
						
						
						
						
					 
					
						2011-07-22 16:07:07 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						9d6d3ee5f3 
					 
					
						
						
							
							Fixed a likely bug in modify_principal() where the memset() of ent happens after early error checking.  
						
						
						
						
					 
					
						2011-07-22 16:07:07 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						07370612bd 
					 
					
						
						
							
							Remove policy name checking against krb5.conf code.  
						
						
						
						
					 
					
						2011-07-22 16:07:07 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						87742e8118 
					 
					
						
						
							
							Add missing KADM5_AUTH_GET_KEYS error and use it.  
						
						
						
						
					 
					
						2011-07-22 16:07:07 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						ed511e06f9 
					 
					
						
						
							
							Updated kadmind.8 and kadmin.8.  
						
						
						
						
					 
					
						2011-07-22 16:07:07 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						909653e50f 
					 
					
						
						
							
							Add comment and assert about key history to kadm5_log_replay_modify()  
						
						
						
						
					 
					
						2011-07-22 16:07:07 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						b16ca34642 
					 
					
						
						
							
							Fix incorrect key history check optimization. (NOT TESTED)  
						
						
						
						
					 
					
						2011-07-22 16:07:07 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						784e6a69df 
					 
					
						
						
							
							Avoid useless work related to keepold.  
						
						
						
						
					 
					
						2011-07-22 16:07:07 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						9adb40a06e 
					 
					
						
						
							
							Forgot to export the kadm5 policy functions.  
						
						
						
						
					 
					
						2011-07-22 16:07:06 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						31974aa24c 
					 
					
						
						
							
							More s/int/size_t/ for iterators.  Also fixed a stupid bug.  
						
						
						
						
					 
					
						2011-07-22 16:07:06 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						f2bb83c088 
					 
					
						
						
							
							Add default to policy prompt and fix harmless bug in edit_policy()  
						
						
						
						
					 
					
						2011-07-22 16:07:06 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						a1203a703d 
					 
					
						
						
							
							Re-fix an earlier mistake that fell out in a branch switcheroo.  
						
						
						
						
					 
					
						2011-07-22 16:07:06 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						0d90e0c4d0 
					 
					
						
						
							
							Complete --keepold support and fix crasher in kadmin cpw -r --keepold.  
						
						
						
						
					 
					
						2011-07-22 16:07:06 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						2510d2d8fc 
					 
					
						
						
							
							Oops, reverse sense of get-keys check...  
						
						
						
						
					 
					
						2011-07-22 16:07:06 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						f15745c60c 
					 
					
						
						
							
							Forgot to save edits to kadmin/server.c to use the new get-keys authorization.  
						
						
						
						
					 
					
						2011-07-22 16:07:06 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						558a8d05a6 
					 
					
						
						
							
							Forgot to export kadm5_store_principal_ent_nokeys().  
						
						
						
						
					 
					
						2011-07-22 16:07:06 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						fad463bbd9 
					 
					
						
						
							
							Fix policy validation bug (parse_policy() should return success when the policy name is OK!)  
						
						
						
						
					 
					
						2011-07-22 16:07:06 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						a35ea4955a 
					 
					
						
						
							
							create_principal() must memset(ent, 0, ...) before ever returning (fixes core dump)  
						
						
						
						
					 
					
						2011-07-22 16:07:06 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						cf1c898e95 
					 
					
						
						
							
							Undo a s/size_t/int/.  Iterators must be unsigned.  
						
						
						
						
					 
					
						2011-07-22 16:07:05 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						0674e4b13a 
					 
					
						
						
							
							Ooops!  Mind those tags when re-ordering ASN.1 SEQUENCEs! (hdb_keyset)  
						
						
						
						
					 
					
						2011-07-22 16:07:05 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						4b0245d096 
					 
					
						
						
							
							Export the new kadm5 functions.  
						
						
						
						
					 
					
						2011-07-22 16:07:05 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						e16360e2db 
					 
					
						
						
							
							Add --keepold option to cpw.  
						
						
						
						
					 
					
						2011-07-22 16:07:05 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						acc8cd4b22 
					 
					
						
						
							
							Duh, act on keepold in randkey!  
						
						
						
						
					 
					
						2011-07-22 16:06:25 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						af23757829 
					 
					
						
						
							
							Trivial policy bug fix.  
						
						
						
						
					 
					
						2011-07-22 16:06:01 -05:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						e7ea698366 
					 
					
						
						
							
							Fixed dumb bug that caused keys to not accumulate in history.  
						
						
						
						
					 
					
						2011-07-22 16:06:01 -05:00